
USB MSC Device Forensics: A Quick Guide for Windows

Hey there, tech detectives! If you're digging into USB devices on Windows 7 to 10, here's a handy guide to help you gather all the important details. Let's get started!


1. Vendor, Product, Version

  • Path: SYSTEM\CurrentControlSet\Enum\USBSTOR

  • Vendor:

  • Product:

  • Version:

2. USB Unique Serial Number ID

  • Path: SYSTEM\CurrentControlSet\Enum\USB

  • USB Unique Serial Number ID:

3. Vendor-ID (VID) and Product-ID (PID)

  • Path: SYSTEM\CurrentControlSet\Enum\USB --> Perform search for the USB serial number

  • VID:

  • PID:

4. Volume GUIDs

  • Path: SYSTEM\MountedDevices --> Search for the USB serial number in the drive-letter entries

  • VolumeGUID:

5. Drive Letter

  • Path: SYSTEM\MountedDevices --> Search for the Volume GUID in the drive-letter entries

  • Or: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs --> Perform search for the Volume Name

  • Or: Perform Shortcut (LNK) file analysis --> Perform search for the Volume Name

  • Drive Letter:


6. Volume Name

  • Path: SOFTWARE\Microsoft\Windows Portable Devices\Devices --> Search for the USB serial number and match it with the volume name

  • Volume Name:

  • Drive Letter (VISTA ONLY):

7. Volume Serial Number

  • Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt --> Search for the volume name / serial number. Convert the decimal serial number to its hex value for link (LNK) analysis.

  • Volume Serial Number (HEX):

8. User of USB Device

  • Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 --> Search for the Volume GUID

  • User:

9. First Time Device Connected

  • Path: C:\Windows\inf\setupapi.dev.log --> Search for the unique serial number

  • Time/Timezone:

  • Or: SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 --> Value = Windows 64-bit hex timestamp (FILETIME); decode with DCodeDate


10. Last Time Device Connected

  • Path: SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY --> Search for the serial number

  • Time/Timezone:

  • Or: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID} --> Perform search for the device {GUID}

  • Or: SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 --> Value = Windows 64-bit hex timestamp (FILETIME); decode with DCodeDate

11. Time Device Removed

  • Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 --> Value = Windows 64-bit hex timestamp (FILETIME); decode with DCodeDate


Tips for Timestamps

  • For Windows 64-bit Hex Value timestamps, use DCodeDate to decode them.
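As an added example (not part of the original post), here is a small Python helper for the two conversions this checklist relies on: decoding the 0064/0066/0067 FILETIME property values from items 9 to 11, and turning the decimal volume serial from an EMDMgmt key name (item 7) into the hex form used for LNK link analysis. The EMDMgmt key-name layout and every sample value below are constructed assumptions, not data from a real system.

```python
"""Registry conversion helpers for the USB checklist (added example)."""
import re
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(raw):
    """Decode the 8-byte little-endian FILETIME stored in the 0064/0066/0067 values.

    Accepts the raw bytes or the hex-pair string Registry Editor shows
    (e.g. "00 80 3e d5 de b1 9d 01"). Returns a timezone-aware UTC datetime.
    """
    if isinstance(raw, str):
        raw = bytes.fromhex(raw.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    # Integer division drops sub-microsecond ticks, which timedelta cannot hold.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def volume_serial_to_hex(decimal_serial):
    """Convert a decimal volume serial (as in EMDMgmt) to the XXXX-XXXX hex form."""
    h = f"{int(decimal_serial):08X}"
    return f"{h[:4]}-{h[4:]}"


# Assumed EMDMgmt subkey layout: <device path>{<GUID>}<VolumeName>_<DecimalSerial>
_EMD_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}(?P<name>.*)_(?P<serial>\d+)$")


def parse_emdmgmt_key(key_name):
    """Return (volume name, decimal serial, hex serial) from an EMDMgmt key name."""
    m = _EMD_RE.search(key_name)
    if not m:
        raise ValueError("not an EMDMgmt volume key: " + key_name)
    return m.group("name"), int(m.group("serial")), volume_serial_to_hex(m.group("serial"))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    print(decode_filetime("00 80 3e d5 de b1 9d 01"))  # 1970-01-01 00:00:00+00:00
    sample_key = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001234567890123&0#"
                  "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}CRUZER_1234567890")
    print(parse_emdmgmt_key(sample_key))  # ('CRUZER', 1234567890, '4996-02D2')
```

The hex-string input mirrors what you copy out of Registry Editor, so the function can be used directly on exported .reg data as well as on bytes read with the winreg module.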

There you go! Keep this guide handy, and you'll be a USB forensics whiz in no time. Happy investigating!


Akash Patel



